Reversing the Course of a River

Bruce Schneier is a smart and interesting guy. His sound thinking on computer security has influenced me a great deal, and it extrapolates well into related fields like national security. So I’m always interested to find writings of his with which I disagree. A recent essay in Wired, entitled “Our Data, Ourselves” is one. It calls for “a comprehensive data privacy law.”

“This law should protect all information about us, and not be limited merely to financial or health information. It should limit others’ ability to buy and sell our information without our knowledge and consent. It should allow us to see information about us held by others, and correct any inaccuracies we find. It should prevent the government from going after our information without judicial oversight. It should enforce data deletion, and limit data collection, where necessary. And we need more than token penalties for deliberate violations.”

If he really believes that these rules should govern the collection and use of data - “all information about us”! - what an administrative nightmare that would be to implement. The benefits of doing so would be quite small in comparison.

Some of these things are agreeable, such as judicial oversight of government data collection (the Fourth Amendment is that law) but even a solid libertarian like myself wouldn’t endorse judicial oversight of government officials looking up information about me on public Web sites, for example.

And should I have a right to review any email in which people discuss this blog post and its author? Incredible.

The flaw in this article (beyond its carelessness) is Bruce’s treatment of these information practices as all-new, and needing an all-new regulatory regime, just because decision-making is now undertaken using “data.”

“Whoever controls our data can decide whether we can get a bank loan, on an airplane or into a country. Or what sort of discount we get from a merchant, or even how we’re treated by customer support.”

But it’s always been true that decisions like these are made using “data” - perhaps not in digital form, but data/information all the same. When has a decision ever been made not using “data”? We don’t need to throw out old rules about privacy, fairness, and so on just because information is digitized.

Many of Schneier’s premises are correct. The change from analog to digital data systems does cause a lot more tracks to form behind people as they traverse the economy and society. This creates lots of efficiency, convenience, wealth, and problems - threats to privacy, fair treatment, personal security, seclusion, and liberty. Let’s deal with them - each one - on their merits rather than trying to write a single law to overhaul the use of information in society.

Reversing the course of a river would be a tiny problem compared to what Schneier proposes.

May 20, 2008

Comments

    The privacy issue remains locked in pre-internet thinking. Maintaining my privacy was easier before I started blogging, updating my Twitter status, revealing my interests on Facebook, sharing my reading habits, traffic, and purchases with everyone who would give me something fun or rewarding. All of these privacy reveals have been of my own free will and with the risk that some of that information, like my email, might be used in ways I wouldn't want (like spam). This is why I don't post my cell phone on Facebook or pictures of me drunk. I don't feel I'm censoring myself (I don't drink), but I'm acknowledging the reality of privacy on the web.
    What Schneier proposes is quite similar to what Italian law mandates. Since 1996, if you collect personal data for commercial (or government) purposes you have to get an explicit consent, state why you are collecting data and avoid collecting unnecessary data. You must also allow some control on personal data, exactly in the terms Schneier advocates (see your data, corrections, deletion, ...).

    Organizations have to protect the collected data from unauthorized access and send a yearly report to the independent "Privacy authority" stating what you do with the data, who accesses it, ...

    As far as I know, the law works quite well. Well-organized businesses do not usually have trouble implementing the necessary changes, while individuals and scientific research bodies have only limited responsibility (except for "critical data" such as health information).
    Well, he didn't limit his proposal to commercial or governmental purposes. Perhaps that was just carelessness, but even if he meant to include such limits, why are people's privacy interests strong as to governments and corporations, but then weak as to other individuals, partnerships, and associations (and perhaps non-profits)?

    And I'm not impressed with the Italian law. In January, I spoke at a small conference there, and we had to sign forms agreeing to allow the other speakers to learn who we were. It was silly, unnecessary bureaucracy, and I still don't know who half the other speakers were.
    One of the critical reforms that we need is to make those who maintain large databases partially liable for identity theft when they get hacked and their data is used against the public. Responsibility should be on the large institutions, not the individual, when they are the ones who are enabling the crime. It should also be this way with credit cards. If a bank lets someone sign up for a credit card in my name, the bank should be not only liable for all damages, but should be legally liable for clearing my good name with the credit bureaus.
    I largely agree, MikeT. Letting common law tort liability emerge for various harms caused by data holders would be a good thing. I haven't written enough on this, but talked about it in a TechKnowledge a few years ago.

    http://www.cato.org/tech/tk/050329-tk.html
    Identity theft is largely the fault of these institutions. There have been reports that ripped up credit card applications were actually processed when someone tested the system by taping them together and sending them in. Unacceptable. It is way too easy for people to get these institutions to take financial action without proving the identity of the person making the request.
    I also agree with MikeT. If the full costs of these data breaches were borne by the people storing the data, we'd see a lot less data collected and it would be much better protected. As it stands, having to pay out for a year's credit reporting for a few people is just a cost of doing business, while the cost to people whose data is misused is huge.
    I am of the mind of holding those responsible for the data breach accountable. If we were able to control our information that private groups collect, my opinion would differ. However, a person really has little say as to how their information can be used or deny an organization's request to obtain personal information.

    However, I am so glad I did not go to Oklahoma State University...See the URL below:
    http://chronicle.com/wiredcampus/article/3010/s...
    No, I think you're quite wrong. Norway has a law which is pretty much what Schneier is calling for, here. It is easily administrated, mainly through a tiny government body called the Data Inspectorate which has a strong, independent position to have oversight over both private and public data. It is simple, easy, and my oh my I am glad we have it.
    Norway's law is quite a bit more limited, specifically excluding private data processing. But I bet the source of its success is its non-use. Martin, could you describe an instance when you have exercised your rights under the law, demanding to inspect and correct data, say, held by your phone company? How did it go?
    What both privacy laws and privacy opponents fail to address is that a substantial part of your everyday freedom relies absolutely on facts such as: your boss can't find out that you support political causes he opposes, follow a religion he dislikes, or have friends he hates; your landlord can't find out that you engage in sex practices he thinks are sinful.

    As new technology removes these inabilities, it becomes imperative that the law either put them back in place, or introduce new laws to prevent employers and landlords from discriminating based on information of the types in my examples. Otherwise you are no longer free to have a private life that your boss or landlord doesn't approve of.

    And discrimination about those things is going to be impossible to prove. That is why gathering the info needs to be banned.
    JDG, do you realize that you're talking about limiting the freedom of the employer and the landlord to deal with whom they choose? Why should one "side" in any transaction enjoy legal rules giving them superior information to the other?

    Maybe you think that there should be elaborate rules dictating what employers and landlords (and participants in all kinds of other markets) can consider, denying them the ability to control the nature of their society, but that sounds like the administrative nightmare I talked about. And it would be quite unfree.
    The problem is fascism. Government and business have been in bed together all our lives. They use and control the data. This is a global problem. Until we as humans can evolve past this state, either mentally or through force, there will be more of the same. You can't expect the people causing the problem to actually want to fix the problem.
    Similar laws to the ones proposed exist in countries such as the UK; any information collected about a citizen by any organisation has to be available to that person.
    I'm not sure I agree that making those who lose data liable is the right answer to this question. Let's analyze this approach a bit further.

    Normally, if one person's negligent act or omission injures another, the negligent person can be liable in tort. So, for instance, if you get distracted and drive into the back of someone else's car, you can be legally liable for the damage you cause to their car. This same principle should apply to a corporation that injures someone by leaking that person's sensitive data, unless there is some law that shields the corporation from liability. I don't know whether such a law exists, but for the sake of argument let's assume it doesn't.

    So, assuming these people are already liable in tort, the next question is why aren't they changing their behavior under a flood of lawsuits?

    Two possibilities come immediately to mind. The first is that no one person is hurt enough to justify the year or two of effort and $50K-$150K in legal fees it'd take to win a judgment. The classic solution to that sort of problem is to allow class actions: let a whole class of plaintiffs pool their similar claims, with one legal team leading the charge, and divvy up any damages they recover. I, personally, don't have a big problem with class action lawsuits in the right circumstances, but the current political and legal climate seems to frown on them.

    The second possibility is that those data collecting entities may be able to contract around liability. Maybe when you sign up for your credit card, for instance, the contract includes a clause that says, in effect, "you agree not to sue us if we lose your data." But if all the credit card companies had a clause like that, then no one would end up suing them for data loss because the only way to get a credit card would be to agree to a contract waiving your right to sue. The classic solution to that kind of problem is to pass a consumer protection law which says, in effect, you can't waive your right to sue someone who loses your data even if you want to waive that right. Again, I don't have a big problem with consumer protection laws in the right circumstances, but they're not the sort of thing I'd normally expect this forum to support.

    Finally, if you're interested in overall economic efficiency, litigation is usually a poor choice. It's generally slow, expensive, and inefficient. There are times when it's necessary or appropriate, but are you sure you really want it as your primary enforcement mechanism?
    One correction--I should have said "liable in tort" in that opening sentence. The privacy law would impose its own kind of liability.
    FD, there have been a couple of cases where data holders are held liable in tort for releasing data, including one case on permitting identity fraud. I cite them at the end of the piece linked to in my second comment above.

    If you're asking why there isn't a flood of lawsuits right now, I think it's the first possibility you mention: because there isn't very much in the way of damages. Only a tiny percentage of data breaches result in any identity fraud happening.

    I, too, would be amenable to well-circumscribed class actions, pursuing actual damages only, but that's hard to reach. It seems like half the world hates litigation, and the other half wants to use it as a quasi-regulatory tool and a source of jackpots.

    That said, I prefer litigation to regulation because at least common law is self-correcting over time. Regulation represents the best guess of a legislature or bureaucracy about what the rules should be, which draws interest groups around it to freeze it in place, and it almost never changes. (I agree it's a close call between the two options.)
    Here in the province of Quebec (Canada) there is such a law that says that contract clauses that demand to waive your rights are illegal. Some businesses still put them in their contracts but they cannot be enforced. The trouble with litigation is that it is much too expensive for the great majority of the population and the balance of power of an individual to a business is much too small. Corporations usually have more and better resources than individuals. On top of that, at least in Canada, legal expenses are tax deductible for businesses while for the individual they are not.
    Hey, Jim,
    The Data Inspectorate mostly takes care of these things _for_ me, ensuring that the creation of new archives containing information about me is strictly monitored for need, privacy & so forth. The law is not a sleeping law at all, quite the contrary, it is very active (mostly in that it is followed, more observed than violated), and while it is a source of debate (e.g. the unification of medical records: expediency of medical help vs. right to privacy and risk of data theft), it is also generally held to be one of the most successful specifically Norwegian institutions.

    But yes, I have used this law on several (at least three that I can think of) occasions in order to make companies delete information about me that they shouldn't have, and were using for commercial purposes. On one occasion I reported the company (a small, dubious cell-phone-oriented internet portal, which is thankfully no longer around) to both the Data Inspectorate and the consumer protection doodad, the official name of which escapes me at the moment. Both institutions came through for me, and they forced the company to change its practices or face substantial daily fines (the doodad got there first, but the inspectorate could have done the same).

    After I started my single-person company, it has gotten a bit harder to do, though. Being both a private individual and a public institution makes parts of my personal data publicly available. Which is as it should be, but does annoy me occasionally (e.g. with the damn phone salesmen, which I had reserved myself against previously – when they call me now, I make them delete their records of my number, but every now and then new ones trawl the public listings and find it.)

    But I do think you're reading Schneier wrong. Emails discussing this blog post, for instance, are obviously private communications and protected by current privacy laws anyway. I think he is quite simply arguing for a law curtailing the right of institutions to store data about you. It's a great idea, and while I haven't read all of this thread yet, I have yet to see a good argument against it.
    Having read it several times, I'm quite certain that Schneier didn't limit his proposal to exclude private communications as the Norwegian law does.

    But since you have a commercial enterprise, I'll bite:

    Given my right to request it under Chapter III, Section 18, of the Act of 14 April 2000 No. 31 relating to the processing of personal data, please inform me of the kind of processing of personal data your company is performing, and specifically:
    a) the name and address of the controller and of his representative, if any,
    b) who has the day-to-day responsibility for fulfilling the obligations of the controller,
    c) the purpose of the processing,
    d) descriptions of the categories of personal data that are processed,
    e) the sources of the data, and
    f) whether the personal data will be disclosed, and if so, the identity of the recipient.

    You may post it here or send it to me at jharper at cato dot org and I'll start a new thread about it.

    This oughtta be fun!
    A difference in quantity can become a difference in quality - if large enough. Horseback riding and the automobile are both forms of transportation. In fact the first cars were a worse means of transportation than horses. Yet gradual enhancements finally became a qualitative difference - and changed the face of our civilization.
    To me it's evident that the same is happening to our data shadow going from analog to digital: Our shadow is quickly taken to modeling so many of our real life facets, habits, preferences, means, abilities, history, opinions, contacts etc, etc, that the impact of others analysing or manipulating our shadow has quickly gone from a small quantitative to a big qualitative change - in our behavior and in terms of the power this holds over us.